LDAP authentication is limited to hosts within the campus network only. This document explains the technical details of the LDAP authentication service.
NOTE: Web-based applications SHOULD NOT use this service. Instead, use CAS to authenticate your users; please refer to the CAS section of the Authentication service for more information.
A formal request for access is required. The requesting entity must meet certain security criteria to be granted access to the LDAP service. Please send an email to email@example.com with the information below to request access:
- Email Subject: Request for LDAP authentication
- Two technical contacts
- Department that owns the application
- Brief description of the application
- IP address(es) that require LDAP authentication
After the request has been approved, a service account will be issued to you. You can then use the service account to connect to the LDAP service and authenticate users.
LDAP Connection parameters
Port: 389 for StartTLS, 636 for SSL (an unencrypted connection is not allowed)
Base DN: dc=ust,dc=hk
Attributes available on a user entry:
- uid - ITSC network account name
- mail - E-mail address of the user
- sn - Surname
- givenname - Given name
- cn - Full name
- departmentnumber - department code the account belongs to (e.g. ITSC, ISO, etc.)
- eduPersonAffiliation - account type: staff / undergrad / postgrad / department / project
- eduPersonPrincipalName - <ITSC account name> + @ust.hk
LDAP Lockout Policy
A user account will be locked out (banned from authenticating) after 10 incorrect login attempts within 1 minute. After 2 minutes the account is unlocked and login attempts may continue.